AST-2011-013 - http://downloads.asterisk.org/pub/security/AST-2011-013.pdf Summary: Possible remote enumeration of SIP endpoints with differing NAT settings Description: It is possible to enumerate SIP usernames when the general and user/peer NAT settings differ in whether to respond to the port a request is sent from or the port listed for responses in the Via header. In 1.4 and 1.6.2, this would mean if one setting was nat=yes or nat=route and the other was either nat=no or nat=never. In 1.8 and 10, this would mean when one was nat=force_rport or nat=yes and the other was nat=no or nat=comedia. Corrected In: As this is more of an issue with SIP over UDP in general, there is no fix supplied other than documentation on how to avoid the problem. The default NAT setting has been changed to what we believe the most commonly used setting for the respective version in Asterisk 1.4.43, 1.6.2.21, and 1.8.7.2. AST-2011-014 - http://downloads.asterisk.org/pub/security/AST-2011-014.pdf Summary: Remote crash possibility with SIP and the “automon” feature enabled Description: When the “automon” feature is enabled in features.conf, it is possible to send a sequence of SIP requests that cause Asterisk to dereference a NULL pointer and crash. Corrected In: Asterisk Open Source 1.6.2.21, 1.8.7.2
+*asterisk-10.0.0_rc3 (12 Dec 2011) + + 12 Dec 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-10.0.0_rc2.ebuild, + -asterisk-10.0.0_rc2-r1.ebuild, +asterisk-10.0.0_rc3.ebuild: + Security update addresses AST-2011-013 (disparate general/peer NAT settings + exposing valid usernames) and AST-2011-014 (null pointer derefence in INFO + command reply if automon feature is enabled). Cull the 10 branch by removing + vulnerable ebuilds. For security bug #394095. +*asterisk-1.8.7.2 (12 Dec 2011) + + 12 Dec 2011; Tony Vroon <chainsaw@gentoo.org> -asterisk-1.8.7.1-r1.ebuild, + -asterisk-1.8.7.1-r2.ebuild, +asterisk-1.8.7.2.ebuild: + Security update addresses AST-2011-013 (disparate general/peer NAT settings + exposing valid usernames) and AST-2011-014 (null pointer dereference in INFO + command reply if automon feature is enabled). Cull the 1.8 branch by removing + vulnerable ebuilds except current stable. For security bug #394095. Arches, please test and mark stable: =net-misc/asterisk-1.8.7.2 Target KEYWORDS="amd64 x86" For testing, please try several USE-flag combinations and see if the resulting binary can be stopped and started for several cycles on the default configuration files. The wrapper will inform you if the binary failed to start or stop normally, which is a test failure.
C3 because will not happen with default config. I have filed bug 394459. It is not a blocker.
amd64: gentoo64 asterisk # USE="alsa bluetooth caps iconv ldap samples usb vorbis -ais -calendar curl -dahdi -debug -doc -freetds -gtalk -http -jabber -jingle -lua -mysql -newt odbc -osplookup -oss -portaudio -postgres -radius -snmp span speex sqlite -sqlite3 -srtp -static -syslog" emerge asterisk gentoo64 asterisk # /etc/init.d/asterisk restart * asterisk: waiting for net.wlan0 (50 seconds) * WARNING: asterisk is scheduled to start when net.wlan0 has started gentoo64 asterisk # /etc/init.d/asterisk restart * Killing wrapper script ... [ ok ] * Stopping asterisk PBX gracefully ... [ ok ] * Starting asterisk PBX ... * Core dump size : unlimited * Core dump location : /var/lib/asterisk/coredump * Max open filedescriptors : 4096 * Starting asterisk as : asterisk [ ok ] all system good all system go
Works too for me. Stable for AMD64, thanks Ian.
CVE-2011-4598 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4598): channels/chan_sip.c in Asterisk Open Source 1.6.2.x before 1.6.2.21 and 1.8.x before 1.8.7.2, when automon is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted sequence of SIP requests. CVE-2011-4597 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4597): The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers for responses to invalid requests depending on whether a SIP username exists, which allows remote attackers to enumerate usernames via a series of requests.
x86 stable, all arches done.
@security, please vote.
Thanks, folks. GLSA Vote: no.
GLSA vote: no. Closing [noglsa]
